Science and technology

The Stuxnet worm

A cyber-missile aimed at Iran?

THE internet is abuzz this week with speculation about Stuxnet, a "groundbreaking" computer worm that attacks industrial-control systems. Put that way, it doesn't sound very exciting. But the possibility that it might have been aimed at one set of industrial-control systems in particular—those inside Iranian nuclear facilities—has prompted one security expert to describe Stuxnet as a "cyber-missile", designed to seek out and destroy a particular target. Its unusual sophistication, meanwhile, has prompted speculation that it is the work of a well-financed team working for a nation state, rather than a group of rogue hackers trying to steal industrial secrets or cause trouble. This, in turn, has led to suggestions that Israel, known for its high-tech prowess and (ahem) deep suspicion of Iran's nuclear programme, might be behind it. But it is difficult to say how much truth there is in this juicy theory.

The facts are these. Stuxnet first came to light in June, when it was identified by VirusBlokAda, a security firm based in Belarus. The following month Siemens, a German industrial giant, warned its customers that their "supervisory control and data acquisition" (SCADA) management systems were vulnerable to the worm. Specifically, it targets a piece of Siemens software, called WinCC, which runs on Microsoft Windows. For security reasons such systems are usually not connected to the internet. But Stuxnet spreads via USB memory sticks, or key drives. When an infected memory stick is plugged into a computer, the Stuxnet software checks to see if WinCC is running. If it is, it tries to log in, install a backdoor control system and contact a server in Malaysia for instructions. If it cannot find a copy of WinCC, it looks for other USB devices and tries to copy itself onto them. It can also spread across local networks via shared folders and print spoolers. (Here are the gory details.)
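The propagation sequence just described (removable media inserted on a WinCC host, a check for the SCADA software, an outbound request for instructions, then copies onto further sticks and network shares) is the kind of pattern a defender can correlate from ordinary host events. The following added example is not from the article or from any Stuxnet analysis; the event format, host names, inventory and sample events are all constructed for illustration.

```python
"""Correlation checks for the propagation pattern described above: removable
media on a WinCC host, outbound traffic from a network that should be isolated,
writes into shared folders, and one file landing on several removable volumes."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hosts known (from an assumed inventory) to run the WinCC SCADA software.
WINCC_HOSTS = {"hmi-01", "eng-station"}
WINDOW = timedelta(minutes=10)
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed events: (ISO timestamp, host, event type, detail). Documentation
# addresses (203.0.113.x, 198.51.100.x) stand in for internet hosts.
SAMPLE_EVENTS = [
    ("2010-07-01T08:00:00", "hmi-01", "removable_mount", "E:"),
    ("2010-07-01T08:00:05", "hmi-01", "net_connect", "203.0.113.10:80"),
    ("2010-07-01T08:01:00", "hmi-01", "file_write", "\\\\plc-fs\\share\\x.dll"),
    ("2010-07-01T09:00:00", "office-07", "net_connect", "198.51.100.7:443"),
    ("2010-07-01T10:00:00", "eng-station", "removable_mount", "F:"),
    ("2010-07-01T10:00:02", "eng-station", "file_write", "F:\\x.dll"),
    ("2010-07-01T10:03:00", "eng-station", "removable_mount", "G:"),
    ("2010-07-01T10:03:02", "eng-station", "file_write", "G:\\x.dll"),
    ("2010-07-01T11:00:00", "hmi-01", "net_connect", "10.0.5.20:445"),
]

def is_external(endpoint):
    """True when the 'ip:port' destination lies outside RFC 1918 space."""
    addr = ip_address(endpoint.rsplit(":", 1)[0])
    return not any(addr in net for net in PRIVATE)

def detect(events):
    """Return (rule, host, detail) findings in time order."""
    findings = []
    last_mount = {}    # host -> time of its most recent removable-media mount
    removable = {}     # host -> drive letters known to be removable volumes
    usb_writes = {}    # (host, file name) -> removable drive letters written to
    ordered = sorted((datetime.fromisoformat(t), h, k, d) for t, h, k, d in events)
    for ts, host, kind, detail in ordered:
        if kind == "removable_mount":
            last_mount[host] = ts
            removable.setdefault(host, set()).add(detail[0])
        elif kind == "net_connect" and host in WINCC_HOSTS and is_external(detail):
            # An isolated control host should never reach the internet at all.
            findings.append(("external_from_scada", host, detail))
            # Stronger signal when it closely follows a USB insertion.
            if host in last_mount and ts - last_mount[host] <= WINDOW:
                findings.append(("usb_then_external", host, detail))
        elif kind == "file_write":
            if detail.startswith("\\\\") and host in WINCC_HOSTS:
                findings.append(("share_write_from_scada", host, detail))
            elif detail[1:3] == ":\\" and detail[0] in removable.get(host, set()):
                key = (host, detail.rsplit("\\", 1)[-1])
                usb_writes.setdefault(key, set()).add(detail[0])
                if len(usb_writes[key]) == 2:   # same file on a second stick
                    findings.append(("usb_fanout", host, key[1]))
    return findings
```

The office host's internet connection produces no finding, which is the point: the same event is benign on a workstation and anomalous on a control host.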

At first it was assumed that Stuxnet was designed to conduct industrial espionage or allow hackers to hold companies to ransom by threatening to shut down vital systems. But it has some unusual characteristics. WinCC is a reasonably obscure SCADA management system. Hackers hoping to target as many companies as possible would have focused on other, more popular, control systems. And according to Ralph Langner, a German security expert who published his own analysis last week, Stuxnet examines the system it is running on and, only if certain very specific characteristics are found, shuts down specific processes. All this suggests that a particular system was being targeted.

Moreover, Stuxnet uses the combination of two compromised security certificates (stolen from companies in Taiwan) and a previously unknown security hole in Windows to launch itself automatically when a user tries to access a memory stick on which it is installed. The use of previously unknown security holes (known in the trade as "zero-day vulnerabilities") by viruses is not unusual. But Stuxnet can exploit four entirely different ones in order to worm its way into a system. Normally, anyone who discovers a new zero-day exploit can expect to sell it for a handsome fee to hackers who can then make use of it. Whoever built Stuxnet, however, was prepared to pay for four such exploits, which cannot have been cheap, to boost its chances of success. They also had deep knowledge of particular control systems. So it seems to be an expensive piece of software aimed at one specific facility.

But which one? Microsoft said in August that more than 45,000 computers around the world had been infected by Stuxnet. An analysis by Symantec, a computer-security firm, found that 60% of infected machines were in Iran, 18% in Indonesia and 8% in India. It could be just a coincidence that Iran has been hardest hit. But if Stuxnet has been deliberately aimed at Iran, one possible target is its Bushehr nuclear reactor, though there is no specific evidence for this. It is true that according to this screenshot from UPI, the Bushehr reactor is controlled by Siemens systems, including the WinCC software that Stuxnet targets. Dr Langner speculates that it could have been infected via AtomStroyExport, the Russian firm that is building the plant. Bushehr has been dogged by problems for years and its opening was recently delayed once again. But given the long history of delays, there is no need to invoke a computer worm to explain the latest one. A rival theory is that the target was Iran's uranium-enrichment plant at Natanz, and that Stuxnet successfully shut down some of its centrifuges in early 2009.

We are deep into the realm of speculation here. Readers are invited to follow the links in this post to wade as far as they like into the various conspiracy theories floating around (such as this one, which spots a Biblical reference in a project name buried in the Stuxnet code). Two further reports on the worm are due to be released at a computer-security conference starting in Vancouver on September 29th. They may clear up some of the mysteries surrounding Stuxnet—but they may simply prompt further speculation.

Here's one theory, which is admittedly based entirely on open source information that may not be entirely accurate. In late July and early August two petrochemical factories in southern Iran exploded purportedly due to technical errors. In addition, there have been a number of gas pipeline explosions also ostensibly due to unintentional human error. The Natanz facility has apparently lost 3,000 of its 9,000 centrifuges without declared cause. Likewise, the Bushehr reactor was supposed to go online weeks ago, but has not. The source of the infection appears to be a Russian contractor with extensive work in Iran. I don't want to sound like a conspiracy theorist, but there are tons of Jewish Russian emigres to Israel that are computer engineers. Israel has long had one of the most advanced high tech sectors. In an unexplained incident, the Israelis barred the iPad from launching in April because it supposedly uses a more powerful Wi-Fi, which now seems to have been so strictly enforced lest it interfere with their national security electronic operations. In this vein, the Israeli version of the NSA (Unit 8200) has been highlighted recently in news articles as has the Israeli initiation electronically of a kill switch for Syrian radar during the 2007 raid and their theft of Syrian nuclear plans via a Trojan horse. Ehud Barak (Israel's defense minister) recently appeared on Fox News and stated that Iran's goal of nuclear weapons capability was now 1.5-2 years and not the 1 year previously stated. I think the Israelis (Unit 8200? the Mossad?) in conjunction with the NSA have penetrated Iran's computer infrastructure and whenever an industrial plant/critical infrastructure goes online it mysteriously fails. I think the reason the free world is not confident about their ability to take down the Iranian regime's nuclear weapons program solely this way is because of the redundancy in terms of sites and that eventually the Iranians will wisen up.
A cyber attack makes sense because it avoids claims of responsibility, which fits with President Obama's MO (think drone strikes in which he displays Tourette's with the hellfire missile button) and the Israelis' desire to avoid a transparent casus belli that would engender Hezbollah rocket attacks, possibly with Syrian/Iranian provided chemical weapons. Adding to the intrigue, a Syrian/North Korean/Iranian chemical weapons plant in Syria mysteriously exploded in 2007. Remarkable that 70 years after Teller, Bohr, Einstein, Feynman, Oppenheimer and other Jewish European/American scientists as well as non-Jewish American/European scientists inaugurated the atomic bomb, a 21st century version of this group has now created a guided cyber missile to destroy the Iranian regime's pursuit of a nuclear weapon. This is particularly astounding since it's not only a cyber weapon, but light years ahead of anyone else. It's as if air to surface missiles had not been invented and the free world already has JDAMs. I should say that I believe the Iranian regime has enslaved a great people, the Persian people and 2,000 years after King Cyrus of Persia helped the Jews build their second state of Israel, the third Jewish state of Israel will return the favor. Ironically, Ahmadinejad has threatened to wipe Israel off the map, but if not for the Osirak attack, Iran would have been wiped off the map as Saddam Hussein used WMD (chemical) in the Iraq-Iran war.

I believe the Israelis are the primary architects not merely because they are unabashedly aggressive in preventing their sworn enemies from acquiring nuclear capabilities (Syria-2007, Iraq-1981), but unlike the United States would not hesitate to launch a covert first strike. This is confirmed by the prescient Reuters article as well as the US statement concerning its unwillingness to strike preemptively through cyber war. Taking into consideration the technical aspects, the Israelis also emerge as the most likely driver of this project. Apparently, the zero day vulnerabilities of Microsoft were exploited in addition to Siemens PLC vulnerabilities and stolen certificates from a Taiwanese company. I have a hard time believing the US would conduct corporate espionage on an American based firm. I doubt the Israelis would have any moral qualms developing an asset at Microsoft or simply stealing the information. Certainly, the constant shuttling of Ehud Barak to DC recently cannot all be explained by an obsession with Israel's qualitative military advantage, which they manage to maintain despite all of these meetings. Clearly, he has been updating Sec Def Gates on Iran mano a mano. Sec Def Gates' leaked memo in January about the lack of contingency plans for confronting Iran militarily also began six months before the virus was first noted. Clearly, he knew about it and realized that this would potentially spark a regional conflagration, when the Stuxnet effects were understood by its victims. As for the theory about the issues with projects going online: PLCs supposedly control critical functions of industrial production. I think the virus is written in a way that activates a change in parameters, when an industrial activity starts up as opposed to merely causing self destruction, when initially infected. This allows for greater deniability as well as more harm since time/money/manpower has been completely invested and lost.
This virus has supposedly been around since early 2009, coinciding with President Obama's tenure. The Israelis may have decided to undertake this while George W. Bush was in office to hedge their bets in case the new commander in chief did not have the willingness to confront Iran. I think whatever systems are infected are already inexorably sabotaged.

While it is possible that the Germans are involved too, I believe the Brits have played a part as well. The NSA and their British counterpart GCHQ work closely together. GCHQ is one of the most sophisticated electronic government agencies in the world. In addition, a GCHQ employee, Gareth Williams, was murdered a month ago. He was apparently working closely with the NSA and seconded to MI6 on a cyber weapons project. He had spent the past year on sabbatical after working at Fort Meade (NSA). This may be trivial, but his father is an employee at Wylfa nuclear power station and, in an indirect way, he likely understood how to take down a similar installation. Also, a Middle Eastern person between 20 and 30 was reportedly seen leaving the apartment building. Maybe the Iranians could only get to him because the Iranian regime has a presence there as opposed to the US or Israel. He was killed in August by which time the Iranians were likely aware of the malware (it was initially reported by a Bulgarian firm in June). Not to be a master of the obvious, but regardless, his death is tragic.

A cyber missile may turn on America also. Those who are making more and more dangerous weaponry must understand that this dangerous weaponry is fatal to you also. Suppose tomorrow any terrorist group can acquire this technology; they can attack America also. America inventing this kind of weaponry is digging her own mausoleum.

Stuxnet/Israel equation: It is amazing that no matter what happens in the world, your journalists or reporters always have a good word to say about Israel.

With respect to the above subject, if indeed Israel has the magic bullet to destroy the software which operates the Iranian nuclear plant, it would be short of a miracle. But then again, maybe it is a miracle. In this way, Israel does not have to take out the Iranian threat by hardware. Hey, if it is Israel, congratulations for a job well done!!!

Here's one theory, which is admittedly based entirely on open source information that may not be entirely accurate. In late July and early August two petrochemical factories in southern Iran exploded purportedly due to technical errors. In addition, there have been a number of gas pipeline explosions also ostensibly due to unintentional human error. The Natanz facility has apparently lost 3,000 of its 6,000 centrifuges without declared cause. Likewise, the Bushehr reactor was supposed to go online weeks ago, but has not. The source of the infection appears to be a Russian contractor with extensive work in Iran. I don't want to sound like a conspiracy theorist, but there are tons of Jewish Russian emigres to Israel that are computer engineers. Israel has long had one of the most advanced high tech sectors. Ehud Barak (Israel's defense minister) recently appeared on Fox News and stated that Iran's goal of nuclear weapons capability was now 1.5-2 years and not the 1 year previously stated. I think the Israelis (Unit 8200? the Mossad?) in conjunction with the NSA have penetrated Iran's computer infrastructure and whenever an industrial plant/critical infrastructure goes online it mysteriously fails. I think the reason the free world is not confident about their ability to take down the Iranian regime's nuclear weapons program solely this way is because of the redundancy in terms of sites and that eventually the Iranians will wisen up. A cyber attack makes sense because it avoids claims of responsibility, which fits with President Obama's MO (think drone strikes in which he displays Tourette's with the hellfire missile button) and the Israelis' desire to avoid a transparent casus belli that would engender Hezbollah rocket attacks, possibly with Syrian/Iranian provided chemical weapons. Adding to the intrigue, a Syrian/North Korean/Iranian chemical weapons plant in Syria mysteriously exploded in 2007.
Remarkable that 70 years after Teller, Bohr, Einstein, Fermi (married to a Jew), Feynman, Oppenheimer and other Jewish European/American scientists and others inaugurated the atomic bomb, Jewish Europeans have now created a guided cyber missile to destroy the Iranian regime's pursuit of a nuclear weapon. This is particularly astounding since it's not only a cyber weapon, but light years ahead of anyone else. It's as if air to surface missiles had not been invented and the free world already has JDAMs. Wow! I should say that I believe the Iranian regime has enslaved a great people, the Persian people and 2,000 years after King Cyrus of Persia helped Jews build their second state of Israel, the third Jewish state of Israel will return the favor. Ironically, Ahmadinejad has threatened to wipe Israel off the map, but if not for the Osirak attack, Iran would have been wiped off the map as Saddam Hussein used WMD (chemical) in the Iraq-Iran war.

Yep, if all that is dangerous isn't George W's fault then it has to be AIPAC or Israel. Oh, and don't bother asking me to continue my subscription. I can get the exact same coverage from the New York Times.

I still recall that phrase, uttered by a villain in a Bond film in referring to some government(s). It applies here as well. One has to marvel at the ingenuity of those responsible for such computer viruses. Also reflect on what good they might otherwise have created if their focus had been elsewhere.

These nation states are bickering with each other over paradigms of the 19th and 20th centuries and before, all the while ignoring where this world of ours is really headed. Rome is burning while they fiddle, and by Rome I mean our environment, global over-population, the basis of these economies, and our collective civilization within it.

This is definitely an interesting development. It may be worthwhile to note that the number of operating centrifuges at Natanz has apparently declined in recent months, and that some people are suggesting that could be because of Stuxnet.

Gee, that would have never occurred to me. And probably not to the parties who spent six months or a year writing this sort of code. Thanks for the warning. Pass it on to China and Russia while you're at it.

Why is everyone so upset that Iran might get nuclear weapons? Other irresponsible rogue nations bent on world domination have hundreds or thousands of them. Such as America. Russia also has them but is not after world domination, just the countries next to them. Apply the NRA's brilliant logic to nuclear weapons. If everyone has them, no one gets hurt.

While the US likes to finger its adversary for hacker attacks, it is an open secret that most of the cyber attacks have been launched from servers located in the US. This cyber hypocrisy should not be surprising because the US has always had a double standard on almost all things when dealing with itself.

Even if it is speculation, this is the stuff of novels. An untraceable worm targeted at a particular system, with the possible purpose of shutting down what could be seen as the greatest threat to Israel.

Now, if Israel and the possibly emerging second Palestinian state could only come to an agreement, the world could be looking at a lot more peace in the Middle East.

How can the US and Britain support Netanyahu in standing up for Israel and achieving a compromise that helps both Israel and Palestinians? Perhaps additional funding for clean energy research based in Israel?